nixpkgs/nixos/tests/grsecurity.nix

# Basic test to make sure grsecurity works

import ./make-test.nix ({ pkgs, ...} : {
  name = "grsecurity";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ copumpkin joachifm ];
  };

  machine = { config, pkgs, ... }:
    { security.grsecurity.enable = true;
      boot.kernel.sysctl."kernel.grsecurity.audit_mount" = 0;
      boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;
      networking.useDHCP = false;
    };

  testScript = ''
    subtest "grsec-lock", sub {
      $machine->succeed("systemctl is-active grsec-lock");
      $machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock");
      $machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");
    };

    subtest "paxtest", sub {
      # TODO: running paxtest blackhat hangs the vm
      my @pax_mustkill = (
        "anonmap", "execbss", "execdata", "execheap", "execstack",
        "mprotanon", "mprotbss", "mprotdata", "mprotheap", "mprotstack",
      );
      foreach my $name (@pax_mustkill) {
        my $paxtest = "${pkgs.paxtest}/lib/paxtest/" . $name;
        $machine->succeed($paxtest) =~ /Killed/ or die
      }
    };

    # tcc -run executes run-time generated code and so allows us to test whether
    # paxmark actually works (otherwise, the process should be terminated)
    subtest "tcc", sub {
      $machine->execute("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c");
      $machine->succeed("${pkgs.tinycc.bin}/bin/tcc -run main.c");
    };

    subtest "RBAC", sub {
      $machine->succeed("[ -c /dev/grsec ]");
    };
  '';
})
grsecurity: add NixOS VM test 2016-01-24 04:06:19 +00:00			`# Basic test to make sure grsecurity works`

			`import ./make-test.nix ({ pkgs, ...} : {`
			`name = "grsecurity";`
			`meta = with pkgs.stdenv.lib.maintainers; {`
nixos: flesh out the grsecurity test suite I've failed to figure out what why `paxtest blackhat` hangs the vm, and have resigned to running individual `paxtest` programs. This provides limited coverage, but at least verifies that some important features are in fact working. Ideas for future work includes a subtest for basic desktop functionality. 2016-06-09 20:14:42 +02:00			`maintainers = [ copumpkin joachifm ];`
grsecurity: add NixOS VM test 2016-01-24 04:06:19 +00:00			`};`

			`machine = { config, pkgs, ... }:`
nixos: flesh out the grsecurity test suite I've failed to figure out what why `paxtest blackhat` hangs the vm, and have resigned to running individual `paxtest` programs. This provides limited coverage, but at least verifies that some important features are in fact working. Ideas for future work includes a subtest for basic desktop functionality. 2016-06-09 20:14:42 +02:00			`{ security.grsecurity.enable = true;`
grsecurity test: refactoring 2016-12-10 13:38:26 +01:00			`boot.kernel.sysctl."kernel.grsecurity.audit_mount" = 0;`
nixos: flesh out the grsecurity test suite I've failed to figure out what why `paxtest blackhat` hangs the vm, and have resigned to running individual `paxtest` programs. This provides limited coverage, but at least verifies that some important features are in fact working. Ideas for future work includes a subtest for basic desktop functionality. 2016-06-09 20:14:42 +02:00			`boot.kernel.sysctl."kernel.grsecurity.deter_bruteforce" = 0;`
grsecurity test: refactoring 2016-12-10 13:38:26 +01:00			`networking.useDHCP = false;`
nixos: flesh out the grsecurity test suite I've failed to figure out what why `paxtest blackhat` hangs the vm, and have resigned to running individual `paxtest` programs. This provides limited coverage, but at least verifies that some important features are in fact working. Ideas for future work includes a subtest for basic desktop functionality. 2016-06-09 20:14:42 +02:00			`};`
grsecurity: add NixOS VM test 2016-01-24 04:06:19 +00:00
nixos: flesh out the grsecurity test suite I've failed to figure out what why `paxtest blackhat` hangs the vm, and have resigned to running individual `paxtest` programs. This provides limited coverage, but at least verifies that some important features are in fact working. Ideas for future work includes a subtest for basic desktop functionality. 2016-06-09 20:14:42 +02:00			`testScript = ''`
			`subtest "grsec-lock", sub {`
			`$machine->succeed("systemctl is-active grsec-lock");`
			`$machine->succeed("grep -Fq 1 /proc/sys/kernel/grsecurity/grsec_lock");`
			`$machine->fail("echo -n 0 >/proc/sys/kernel/grsecurity/grsec_lock");`
			`};`

			`subtest "paxtest", sub {`
			`# TODO: running paxtest blackhat hangs the vm`
grsecurity test: refactoring 2016-12-10 13:38:26 +01:00			`my @pax_mustkill = (`
			`"anonmap", "execbss", "execdata", "execheap", "execstack",`
			`"mprotanon", "mprotbss", "mprotdata", "mprotheap", "mprotstack",`
			`);`
			`foreach my $name (@pax_mustkill) {`
			`my $paxtest = "${pkgs.paxtest}/lib/paxtest/" . $name;`
			`$machine->succeed($paxtest) =~ /Killed/ or die`
			`}`
nixos: flesh out the grsecurity test suite I've failed to figure out what why `paxtest blackhat` hangs the vm, and have resigned to running individual `paxtest` programs. This provides limited coverage, but at least verifies that some important features are in fact working. Ideas for future work includes a subtest for basic desktop functionality. 2016-06-09 20:14:42 +02:00			`};`
grsecurity: add NixOS VM test 2016-01-24 04:06:19 +00:00
grsecurity test: add note explaining what the tcc -run test accomplishes 2016-07-23 02:29:09 +02:00			`# tcc -run executes run-time generated code and so allows us to test whether`
			`# paxmark actually works (otherwise, the process should be terminated)`
nixos: flesh out the grsecurity test suite I've failed to figure out what why `paxtest blackhat` hangs the vm, and have resigned to running individual `paxtest` programs. This provides limited coverage, but at least verifies that some important features are in fact working. Ideas for future work includes a subtest for basic desktop functionality. 2016-06-09 20:14:42 +02:00			`subtest "tcc", sub {`
			`$machine->execute("echo -e '#include <stdio.h>\nint main(void) { puts(\"hello\"); return 0; }' >main.c");`
			`$machine->succeed("${pkgs.tinycc.bin}/bin/tcc -run main.c");`
			`};`
grsecurity test: verify that the grsec device node is created 2016-07-17 21:38:11 +02:00
			`subtest "RBAC", sub {`
			`$machine->succeed("[ -c /dev/grsec ]");`
			`};`
nixos: flesh out the grsecurity test suite I've failed to figure out what why `paxtest blackhat` hangs the vm, and have resigned to running individual `paxtest` programs. This provides limited coverage, but at least verifies that some important features are in fact working. Ideas for future work includes a subtest for basic desktop functionality. 2016-06-09 20:14:42 +02:00			`'';`
			`})`